Apparatus, system and method for aircraft security and anti-hijacking intervention

ABSTRACT

A security mechanism identifies users, so as to restrict access and operation to authorized users, such as to persons authorized to access and fly a particular aircraft. The security mechanism comprises one or more security devices to identify the user attempting to gain access or operate the controller; and one or more monitoring devices to determine whether or not the user identified is authorized to have access or operate the controller. Methods of safely operating aircraft are also described. The methods include protocols for limiting access to the aircraft and assuming remote control of the aircraft if a possibly hostile situation is detected.

CROSS REFERENCE TO RELATED APPLICATIONS

The present application is a Continuation-in-Part of U.S. patentapplication Ser. No. 10/894,253, filed Jul. 19, 2004 now U.S. Pat. No.7,376,494, which is a Continuation-in-Part of U.S. patent applicationSer. No. 10/643,101 filed Aug. 18, 2003, which is now U.S. Pat. No.7,024,023, and claims priority from U.S. Provisional Patent ApplicationNo. 60/482,807 filed Jun. 26, 2003, and U.S. Provisional PatentApplication No. 60/609,601 filed Sep. 14, 2004, the entire disclosuresof which are incorporated by reference herein.

FIELD OF THE INVENTION

The present invention relates generally to security mechanisms andmethods, and more particularly to aircraft security mechanisms andmethods.

BACKGROUND OF THE INVENTION

The airline industry has, for over half a century, transported largevolumes of travelers on a daily basis to destinations around the world.One of the primary concerns of the airline industry during this timeperiod has been to maintain the safety of its passengers and aircraft.Over time, the general public, and most airline passengers, developed apositive feeling for airline safety. Statistically speaking, air travelhas been considered safer than other presumably safe activities; forexample, routinely there have been more people involved in auto or gunrelated accidents or fires than people involved in aircraft relatedaccidents. The occasional hijacking was not considered a major threat,as most ended without passenger casualties or damage to aircraft.

The attitude toward air travel forever changed on the morning of Sep.11, 2001, when the World Trade Center in New York, N.Y. and the Pentagonin Washington, D.C. became the objects of a terrorist attack ofpreviously unimaginable proportions. On that day, hijackers took overcontrol of four separate aircraft and then managed to personally flythree of those as weapons of mass murder into the buildings, destroyingthe buildings, surrounding buildings and all three aircraft. The fourthplane crashed into an open field just outside of Pittsburgh following avaliant struggle by passengers to recapture the plane. Tragically, allpassengers on all four planes and several thousand people on the grounddied that day.

Following the aftermath of “911”, there is now a greater emphasis thanever before on improving airline security to try to prevent hijacking ofaircraft. Much of the efforts have been directed to reducing the chancesthat a successful hijacking may occur, such as by instituting morestringent searches at check-in, by placing armed marshal on flights andby better securing the door separating the passenger and cockpit areasof the plane. These efforts, however, have done little to address thesource of the problem, which is hijackers taking over control of anaircraft.

In view of which, there is seen a need to improve the manner by whichthe occurrences of hijacking on aircraft can be reduced.

SUMMARY OF THE INVENTION

In accordance with the present invention, an embodiment comprises asecurity mechanism for identifying individuals, so as to restrictoperation to only those authorized, such as to persons authorized to flya given aircraft. The security mechanism comprises a controller operableby a user; one or more security devices to identify the user attemptingto operate the controller; and one or more monitoring devices todetermine whether or not the user identified is authorized to operatethe controller.

The invention also relates to methods of safely operating aircraft,including methods by which automated or remote control can be assumed inthe event of a possibly hostile situation. The invention also relates tomethods of limiting access to aircraft, authenticating individualsrequesting access to aircraft and categorizing individuals who are givenaccess to aircraft.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a block diagram of an embodiment of a security system inaccordance with the present invention.

FIG. 2 is a partial schematic, partial block diagram of the system ofFIG. 1.

FIG. 3 is a further exemplary embodiment of a controller of FIG. 2.

FIG. 4 is a block diagram of an exemplary application of the system ofFIG. 1.

FIG. 5 is a flowchart showing a method of safely operating an aircraftaccording to an embodiment of the invention.

FIG. 6 is a flowchart representing a method of avoiding prohibitedairspace according to an embodiment of the invention.

FIG. 7 is a flowchart representing a method of limiting and recordingaccess to an aircraft prior to takeoff.

FIG. 8 is a flowchart representing a method of loading cargo onto anaircraft according to an embodiment of the invention.

FIG. 9 is a flowchart representing a method of authenticatingindividuals prior to permitting access to an aircraft according to anembodiment of the invention.

FIG. 10 is a flowchart representing a method of categorizing individualswho are requesting access to an aircraft or a portion of an aircraftaccording to an embodiment of the invention.

DESCRIPTION OF THE INVENTION

In accordance with embodiments of the present invention, apparatus,systems and methods are disclosed for restricting access to and theoperation of an aircraft, vehicle or other device or system to onlyauthorized personnel. In general, as shown in FIG. 1, for the purpose ofrestricting operation of the aircraft, a controller 112 is providedoperable by a user, one or more security devices 114, such as biometricreaders, is provided associated with the controller 112, one or moremonitoring systems 116, such as a computer, is provided in communicationwith the security devices 114 and one or more control mechanisms 118 isprovided in communication with the monitoring systems 116. Any desiredbiometric characteristics may be utilized for this purpose, such as, forexample, fingerprint, retina, facial or DNA characteristics. The one ormore biometric readers 114 may be utilized in a variety of differentmanners, such as being mounted on or integrated within the controller112 or may be a separate device. The following illustrates exemplaryembodiments adapted for aircraft use, such as airplanes or helicopters.

FIG. 2 is a perspective view of an embodiment in which biometric readersin the form of fingerprint and retina readers 119 and 121, respectively,are associated with the control 112, i.e., the controller, of anaircraft. In one preferred embodiment, the fingerprint reader 119 is ofa type that also incorporates a pulse sensor. In the embodiment shown,the fingerprint/pulse reader 119 may be provided on one or both of thecontrol arms 122 a and 122 b. The retina reader 121 is shown providedcentrally disposed between the two upright control arms 122 a/122 b. Asshould be understood, the fingerprint/pulse reader 119 and retina reader121 may be utilized at other desired locations as well, such as thefingerprint/pulse reader 119 being associated with other components orthe retina reader 121 mounted at other locations in the cockpit. Thefingerprint/pulse reader 119 and retina reader 121 may be conventionaldevices, such as any commercially available components, or may bespecially manufactured hardware and/or software where desired.Alternatively, as should be understood, other types of biometric sensorsmay be utilized where desired. In FIG. 3 is illustrated anotherexemplary embodiment of a control 312. In this embodiment, thefingerprint/pulse reader 319 comprises a series of four inward radiusportions 330 shaped to accommodate a user's fingers and a thumb reader332. The remaining portions are the same as that illustrated in FIG. 2.As should be understood, the control may comprise other shapes andconfigurations as well, and should not be construed as being limited tothe designs shown in FIGS. 2 and 3; for example, a single straight arm,circular steering wheel type design, T-shaped , etc.

In addition, preferably the one or more monitoring systems 116, such asa computer illustrated in FIG. 2, is provided in communication with thefingerprint/pulse reader 119 and retina reader 121. The term “computer”as used herein should be broadly construed to comprise any devicecapable of receiving, transmitting, and/or using information, including,without limitation, a processor, a microprocessor, a personal computer,a network server, a distributed computing system involving parallelprocesses over a network, network computing or a mainframe.

As discussed above, the monitoring system 116 is also preferably incommunication with one or more control mechanisms 118 on the aircraft,such as, for example, the control 112, any system controlled by thecontrol 112, the auto-pilot control system, a Global Positioning System(“GPS”), such as a GPS chip, located on the aircraft and/or integratedwithin one or more biometric sensors, or any conventional systems on theaircraft, as examples. The monitoring system 116 may comprise theaircraft's existing on board computer system or may comprise a separatecomputer system located on the aircraft itself or at designatedlocations outside of the aircraft, such as an air traffic controlcenter, which is in communication with the on board computer system ordirectly with the aircraft's security devices 114 and/or controlmechanisms 118.

In addition, the monitoring system 116 may be programmed, such as byauthorized personnel, so as to be responsive to data received from thefingerprint/pulse reader 119 and/or retina reader 121 in order tocontrol specific operations of the aircraft, such as designated ones ofthe aircraft's control mechanisms 118. In some exemplary embodiments,the monitoring system 116 may be preprogrammed so as to grant designatedpersonnel permission to operate the aircraft for specific tasks; forexample, granting only the designated pilot and copilot of a certainflight the ability to fly the aircraft, granting designated crew theability to turn off and/or on the aircraft beacon system, grantingdesignated ground crew and maintenance personnel the ability to servicethe aircraft, etc. In this manner, different types of permissions may begranted where desired to different categories of personnel. Biometricsensors may be utilized wherever restrictions may be desired to operatethe aircraft; for instance, biometric verification required to fly theaircraft, for operation of the beacon control system or for access intodesignated areas, for example, via a biometric interlock on doors,panels and/or hatches providing access to any area on the aircraftpotentially vulnerable to sabotage, such as, for example, providingaccess onto the aircraft itself, into cockpit areas and/or for access tostorage compartments, such as cargo areas underneath the aircraft, etc.In this and other embodiments, the GPS system may operate by sendingpositioning information to designated locations, such as ground control,in response to various occurrences on the aircraft, such as, forexample, where unauthorized persons attempt to fly the plane, a planegoes off its normal course, etc. An exemplary application of thisembodiment is illustrated in the accompanying flow chart of FIG. 4,which is described in greater detail below.

As shown at step 210 in FIG. 4, prior to flight, the pilots and crewthat are pre-authorized have their fingerprint and retina biometricinformation loaded into the designated monitoring system 116, such asthe airplane's on-board computer. As mentioned above, a separatecomputer system located on or outside of the aircraft may be utilized aswell. The biometric data that is loaded may have been previously takenfrom the individuals and stored in a database in electronic form, whichis then transferred to the plane computer. Alternatively, the biometricdata to be loaded may be read from these individuals on site, such as atthe time boarding occurs, and then loaded into the on-board computersystem at that time. In addition, where desired, a separate biometriccheck may be performed to verify identity, such as taken from the pilotsand crew prior to boarding the plane, such as a fingerprint check thatmay be compared against stored biometric data for the designatedpersons, as shown in dotted lines at step 212.

As shown at step 214, the pilot is required to hold the control 112, sothat the pilot's fingerprint/pulse can be detected by thefingerprint/pulse reader 119 and communicated to the monitoring system116 to verify identity. An authorized pilot will be able to fly theaircraft, as shown at step 216. Otherwise, as shown at step 218, thecontrol 112 will not function properly and the individual will not beable to fly the plane; for example, in one embodiment, the monitoringsystem 116 will kick back to auto-pilot mode, as shown at step 220. Theterm “fly” as used herein should be broadly construed to refer to anyphase of an aircraft flight, starting up of the aircraft, movement ofthe aircraft from a fixed position, take-off or landing of the aircraft,taxiing of the aircraft as well as in the air flight. Accordingly, inother exemplary embodiments, where the aircraft is on the ground, forinstance, the monitoring system 116 may operate to prohibit takeoffwhere an unauthorized pilot is detected, for example, by failing to turnon engines, locking of the control 112, etc. Further, where anunauthorized person may place their hand on the control 112 in order totry to fly the airplane, the monitoring system 116 may also communicatethat information to designated authorities, such as, for example, via anunauthorized pilot notification or a disaster alert signal sent toground control, as shown at step 222. The monitoring system 116 may alsoat the same time send the unauthorized person's biometric data todesignated authorities, as shown at step 224, so that a subsequentbiometric check may be performed to uncover the identity of thatindividual. In this embodiment, the pulse sensor of thefingerprint/pulse reader 119 operates to detect further informationabout the condition of the individual holding the control 112, such aswhether or not there is the presence of a pulse, to signify that thehand placed on the control is of a live individual, or if there is arapid or irregular pulse, such as to signify that the individual is in adistressed state. The monitoring system 116 can be programmed to notifyauthorities, such as ground control, if any such unusual pulse readingoccurs, such as, for example, via a distressed pilot notification or adisaster alert, as shown at step 226.

In addition, the retina reader 121 can also be used in this embodimentas an additional level of security, such as to communicate with themonitoring system 116 so as to authorize engagement or disengagement ofthe auto-pilot. For example, the retina reader 121 can verify whether anauthorized pilot is in his or her seat, and control subsequentoperations based that information, where desired, such as to allowdisengagement of the auto-pilot, as shown at steps 228-232. Othersuitable types of biometric devices may be utilized as well wheredesired in place of the retina reader 121; for example, a heat signaturedevice or a camera located in the seat of the pilot rather than a retinareader. In certain embodiments, retina reader 121 can comprise one ormore commercially available cameras adapted for taking a biometric readof the retina of designated persons at specified times. For example, thecamera can of a type activated to take a biometric read anytime there ismotion sensed. For instance, the camera can be mounted in the cockpitarea and operated to take a retina read anytime there is movement by thepilot. In addition, that same camera, or another camera, can be providedto take a photograph of the designated person at the same time a retinaread is taken. Multiple cameras may also be used where desired, such asfor the pilot and copilot, etc. In addition, in this and otherembodiments, the camera can also be activated so as to take a photographof the designated persons at other desired times, such as when anunauthorized person attempts to take the controller or access particularareas, an irregular pulse is detected or any other distressed conditionis detected. The photograph, along with any other desired information,may then be transmitted to desired locations, such as via satellite,cellular or independent transmitter, as examples. Some examples of thedesired locations include, but area not limited to, the airlines, asmentioned above, the Department of Defense and/or Department of HomelandSecurity.

In some embodiments, it may be desired to grant permission to certainadditional persons as a matter of course or in emergency situations tohave limited or full authority to operate the aircraft who originallydid not have that authority. For instance, in certain circumstances, forexample, such as where any crew become ill or incapacitated during aflight, it may be desired that authority to operate a given aircraft begranted to additional persons, such as any off duty crew or anypassenger pilots on the aircraft. In such situations, a biometric checkcan be implemented to verify identity of the additional persons beforeany authority to operate the aircraft will be given. The biometric checkcan be performed on the aircraft and compared against stored biometricinformation contained either on the aircraft, such as contained in theon-board computer, or any database located outside of the aircraft, suchas a database kept by designated authorities, such as by individualairlines, the airline industry or a central reporting database, asexamples. The biometric check can be done by utilizing a separatebiometric device on the aircraft, or by using any of the existingbiometric devices mentioned above, such as the fingerprint/pulse reader119 and/or retina reader 121.

In some embodiments, a flight management system (FMS) or a remotestation can monitor the progress of the aircraft's flight, using, forexample, altitude, course and GPS data. The FMS can be a computer systemprovided as part of the monitoring system 116, integrated therewith, orindependent therefrom. The FMS can compare data relating to the flight'sprogress with a flight plan that has been pre-recorded in memory. Insuch embodiments, the FMS, monitoring system or remote station can alertground controllers or other authorities to deviations from the flightplan for corrective measures, or the FMS can assume automated control ofthe aircraft to prevent the flight from entering prohibited orrestricted air space or if a possibly hostile situation is detected.

FIG. 5 is a flow chart showing how such a system can operate. Box 402represents the status of a flight in computer-guided mode, e.g., withthe auto-pilot engaged, or a flight being monitored by ground controlthrough an airborne flight information system (AFIS). The AFIS providescommunication between the aircraft and ground controllers so that theflight plan can be monitored remotely. The AFIS can be configured toautomatically transmit flight-related data, such as course, altitude andposition, and information received from the monitoring system 116 toground controllers or other authority, and can receive instructionstherefrom without pilot or crew interaction.

During flight operations, a course correction or deviation from theflight plan may be desired for a number of reasons, such as the approachof inclement weather, flight traffic congestion, an obstacle in theflight path or a bird strike. When a course correction is desired, suchas at box 404, the next step of the method will depend upon whether ornot an authorized pilot is at the controller 112 of the aircraft. Asshown at step 406, the biometric readers 114, such as thefingerprint/pulse readers 119 retina reader 121 described above, can beutilized to determine if an authorized pilot is at the controller 112.

If an authorized pilot is at the controller 112, a decision 408 must bemade as to whether there is adequate time for notification of theproposed course correction to ground controllers. If there is sufficienttime to notify ground control of the proposed course correction, theground controllers can be notified, as in step 410. If the proposedcourse correction is found to be suitable by the ground controller, thecourse correction plan can be approved, as at step 412, and a new flightplan generated and uploaded to the aircraft, as shown at step 414. Afterthe new flight plan has been validated at step 416, the computer guidedflight mode (if engaged) can be disengaged as at step 418. The approvedcourse correction can then be initiated, as at step 420, by the pilot.

While the course correction is being executed, ground controllers canassess control of the aircraft through data received from the AFIS,through voice communication with the pilot and/or through the cockpitcamera as at step 422. Assessment of the state of control of theaircraft can include an evaluation of whether an authorized pilot is incommand, or if an unauthorized and potentially hostile individual mayhave seized control of the aircraft. The data received from the AFISthat can be used as part of the assessment can include informationcommunicated from the security devices 114, such as fingerprint/pulsereaders 119 and retina readers 121. Where a possibly hostile situationcan not be ruled out, a potential threat can be assumed as explainedbelow.

If the state of control of the aircraft appears to be acceptable, asshown at step 424, the auto-pilot (the flight management guidancecomputer) can be engaged or re-engaged when the correction has beencompleted, and the new flight plan can be evaluated by the pilot asshown in step 426. At step 428, the modified flight plan and the controlof the airplane can be evaluated by the ground controller, otherauthority and/or monitoring system 116. This step can include anevaluation of whether the new flight plan will bring the aircraftunacceptably close to any prohibited or restricted airspace, such as,for example and without limitation, power generating plants, such asnuclear plants, military installations, government areas, such as theCapital and White House, and national monuments. Prohibited airspaceevaluation can be performed in accordance with the method describedbelow in connection with FIG. 6. If the modified flight plan is found tobe acceptable, the aircraft can resume normal operations as shown in box402.

If the ground controller or other authority finds the progress of theflight, the new flight plan or the control of the airplane to beunacceptable, control of the aircraft can be assumed from the ground orother location remote from the aircraft, such as a chase plane.Alternatively, control of the aircraft can be assumed by an automatedsystem on board the aircraft. In either case, control of the aircraft isat least partially taken away from the pilot, as at step 430. Control ofthe aircraft can be assumed using a variety of different means. Examplesof such means include the provision of a Mission Management Unit (MMU)or a secondary FMS. A MMU is a control system that allows groundcontrollers to override the on-board FMS and aircraft control systems inorder to command the aircraft from the ground through radio or satellitecommunications. A secondary FMS can be pre-programmed with anunalterable flight plan or an alternative contingent flight plan thatcan be activated in the event of an airborne hostile event. When thesecondary FMS is engaged, it can override any commands or control, orselected commands, attempted by the pilot or unauthorized user. Theunalterable flight plan can be hard-programmed into the secondary FMSwith instructions to fly the aircraft to a pre-selected safe altitude orlocation. Assumption of aircraft control can be assumed by a MMU,secondary FMS or other control device anytime a hostile event issuspected.

Other scenarios in which aircraft control can be assumed from theground, another location remote from the aircraft, or by a secondary FMSis if an authorized pilot is not detected at step 406, or if it isdetermined at step 408 that there is not adequate time to notify groundcontrollers of a desired course correction and other conditions are met.If there is no time to notify ground controllers at step 408, such as ifan obstacle is detected in the flight path or in the event of a birdstrike, the auto-pilot (if engaged) can be disengaged at step 432 andshort term course correction can be immediately initiated by the pilotat step 434.

Following any course correction, it can be determined whether the coursedeviation is within the tolerance of the flight plan at step 436. Assuch, the FMS or monitoring system 116 can be preprogrammed withacceptable tolerances or be able to calculate tolerances based on theparticular situation. Tolerances of greater magnitude may be acceptablewhere the aircraft is in transoceanic flight or is otherwise not nearany potential terrorist targets. Lesser tolerances may be appropriatewhere the flight path takes the aircraft near restricted air space orother areas that may contain potential terrorist targets. If it isdetermined that a course deviation is within flight plan tolerance, thenthe course correction can be considered to be complete and the methodresumed at step 424.

If at step 436 it is found that the course deviation is not withinflight plan tolerance, an alarm can be sent to the ground controller,such as by the AFIS, as shown in box 438. Such an alarm can beconsidered a first stage alarm event or alert condition. Upondeclaration of a first stage alarm, the ground controller can attempt toinitiate communication with the aircraft and assess the status of theflight, including the state of control of the aircraft through the AFIS,voice communication and/or the cockpit camera, as in step 422. If, afterthe assessment step 422, it is determined that a hostile event may be inprogress, a second stage alarm or condition event can be declared. Asshown in step 442, a second stage alarm event can be accompanied bycontinuous monitoring of the cockpit camera and preparation by groundcontrol or another authority to assume control of the aircraft.

An elapsed time period threshold can be established for second stagealarm events. If, at step 444, ground controllers determine that ahostile event is not occurring, the second stage alarm condition can becancelled and the ground controllers can re-assess control of theaircraft according to step 422. However, if ground controllers observeevidence of hostile activity, or if the threshold time to make adetermination is exceeded, the ground controller or other authority canassume control of the aircraft via the MMU, or the secondary FMS canassume control.

If a course correction is desired and, at step 406, it is determinedthat an authorized pilot is not in control of the aircraft, a secondstage alarm condition can be immediately declared and the method carriedout directly from step 442.

FIG. 6 shows a method of preventing an aircraft from entering restrictedor prohibited airspace according to some embodiments of the invention.As shown in step 452, a database having information relating toprohibited airspace can be loaded into a computer on the aircraft, suchas the FMS, and can also be available to ground controllers or otherauthorities on the ground. The flight plan for the aircraft can beloaded into the aircraft computers prior to departure (or subsequentlyuploaded as in step 414 of FIG. 5). The flight plan can be entered intothe ground based systems as shown in step 456. At step 458, the flightplan can be compared with the prohibited-airspace database to ascertainwhether or not the flight plan will bring the aircraft too close to orwithin prohibited airspace. In addition, acceptable tolerances to theflight plan can be calculated based on proximity to prohibited airspace,the nature of the prohibited airspace and other factors. If it isdetermined that prohibited airspace may be violated, or if there areother concerns regarding the flight plan, the pilot and the groundcontrollers can agree to adjust the flight plan at step 459 asappropriate.

If adjustments to the flight plan are made, the adjusted flight plan canbe reentered into the aircraft and ground-based computer systems atsteps 454 and 456. Thereafter, the analysis of step 458 can be repeatedas many times as necessary.

If at step 458 it is determined that the flight plan is acceptable, theaircraft is permitted to proceed under the flight plan at step 460. Ifit is desired to adjust the flight plan en route or otherwise makecourse corrections, such as those described above in connection withstep 404, the modification can be entered into the guidance computer ormanual (pilot) control can be assumed as shown in box 462. Whenmodifications to the flight plan are made or if manual flying mode(i.e., the auto-pilot turned off) is initiated, the GPS system onboardthe aircraft can be used for satellite and ground tracking of theflight's progress at step 464. The GPS data, other data communicatedthrough the AFIS, and the modified flight plan can then be analyzed atstep 466 to determine whether the aircraft is proximate to prohibitedairspace or if the flight plan, as modified, includes a vector thatwould violate prohibited airspace tolerance. If, at step 468, it isdetermined that the aircraft is not proximate to prohibited airspace andthat the flight plan includes no vectors that would violate prohibitedairspace tolerance, the aircraft is permitted to proceed with existingflight telemetry as shown at box 460.

If at box 468 it is determined that the aircraft is proximate toprohibited airspace or a flight plan vector would violate prohibitedairspace tolerance, then an alarm condition can be declared, as at box470. Under the alarm condition, it can be determined whether aprohibited airspace violation is imminent. A violation may be imminent,for example, if the aircraft vector is directed at a potential terroristtarget or if the altitude of the aircraft falls below a pre-selectedflight floor restriction as shown at step 472. If it is determined thata prohibited airspace violation may be imminent, the modified flightplan can be overridden and automatically replaced with the originalflight plan or with a contingent flight plan as shown at box 474. Asdiscussed above in connection with step 430 of FIG. 5, the groundcontroller can assume command of the aircraft via the MMU or thesecondary FMS can assume control in order to override the modifiedflight plan.

If at step 472 it is determined that no violation of prohibited airspaceis imminent, it may not be necessary to immediately assume control ofthe aircraft via an MMU or secondary FMS unit. Instead, a coursecorrection can be required so that the aircraft is no longer proximateto prohibited airspace or so that the flight plan includes no vectorsthat would violate prohibited airspace, as shown at step 476. Once asuitable course correction has been determined, the flight plan shouldagain be modified and entered into the computer in accordance with step462. The flight can then be permitted to proceed according to themodified plan and the subsequent steps of the method.

As noted above, some embodiments of the invention relate to methods oflimiting access to the aircraft by passengers and unauthorized crew tofurther enhance safety. The methods of limiting access will now bedescribed in more detail in connection with FIGS. 7 through 10. Themethods can involve establishing one or more databases of passenger andflight staff information, including biometric information. Theappropriate information for each individual that is to have access tothe aircraft can be transmitted from the database to the aircraft andground systems. Individuals requesting access to the aircraft can beidentified at one or more access points, such as the aircraft door orgate, prior to accessing the aircraft. Security devices, such asbiometric readers 119, 121 described above and/or smartcard or namebadge scanners, can be provided at the access point to identifyindividuals. Access to the aircraft can therefore be limited toindividuals who are pre-approved for access.

FIG. 7 is a flow chart showing an overview of a method for limitingpre-departure access. As shown in step 502, the flight preparation cyclecan be initiated prior to any crew member or passenger accessing theairplane. The identities and related information for members of theflight crew and ground crew are recorded in a secure data source andvalidated, as discussed in more detail below. The data shown at box 504can include appropriate biometric information and data encoded on asmartcard or name badge in possesion of the crew for identifying theindividual when necessary.

The identities of the crew members assigned to the particular flight andtheir associated biometric information and/or smartcard data can beloaded to the aircraft computers and ground systems by radio, DVD or anyother secure electronic means at step 506. This limited data subset ofauthorized individuals can be accessed when any individual requestsaccess to the aircraft. If, after biometric scanning, smartcard readingand/or other secure identification process, the crew members areconfirmed to be the appropriate crew members for that flight, access tothe aircraft is authorized as shown in step 508. As shown in step 510,the flight plan can also be entered into a flight management guidancecomputer and/or into the monitoring system 116.

Once individual crew members are authorized, access by the interior crewand ground crew can be recorded at steps 512 and 514. The cockpitcamera, access control devices or other recording devices can also beginrecording access to the cockpit. In addition to recording of cockpitactivity, the image from the cockpit camera can be monitored remotely inreal time by ground personnel until the flight deck has been secured.Flight deck activity recording and monitoring are shown in boxes 516 and518.

While access to the aircraft is being monitored and recorded, automatedviolation monitoring can be performed as shown at box 520. Suchmonitoring can include monitoring of compartments or hatches that shouldnot be accessed and tracking of crew members to make sure that anindividual does not access areas for which that individual is notauthorized. If the automated monitoring detects any possible violations,an alarm can be declared and appropriate response procedures initiatedas at step 522.

A similar database of passenger information and system for passengerauthentication can be established if desired. Once crew members andpassengers have boarded the plane, the airplane exterior can be secured,as shown at step 524, and a preflight checklist can be performed, as atstep 526. As part of the preflight checklist, access data can be sent tothe pilot and/or ground personnel. This report can be reviewed as partof the preflight checklist for any unauthorized access to the aircraft,or any other violations that may have occurred during flightpreparation. If any violations have occurred, the nature of theviolation can be investigated and cleared prior to providing approvalfor flight departure, as at Step 528.

At times it is necessary to make last minute changes to the crew,passengers or cargo onboard the aircraft. If a last minute change isnecessary, as shown in box 530, authentication of the added person orcargo can be performed at step 532. In this regard, tripleauthentication can be performed using biometric readings of the newlyadded person or cargo, the person bringing that newly added person orcargo to the aircraft, as well as the person allowing the newly addedperson or cargo access to the aircraft. In addition to this tripleauthentication, remote approval (from ground personnel) can be obtainedprior to allowing the newly added person or cargo access to theaircraft, as represented by box 534. Once any last minute additions tothe crew, cargo or passengers have been completed, the aircraft exteriorcan again be secured in accordance with step 524 and a new reportgenerated and reviewed as part of the preflight checklist.

Access to the aircraft by ground crew and cargo loading personnel can belimited according to the method shown in FIG. 8. As discussed above,identity and biometric data of all personnel who are authorized to haveaccess to the aircraft is downloaded from a secure data source. As shownin box 552, access to the entire tarmac can be limited to those groundcrew members having authorization to access at least one aircraft on thetarmac. Therefore, ground crew members can undergo biometric scanningprior to being permitted on the tarmac. Once permitted on the tarmac,the cargo loading team can proceed to the aircraft to which they areassigned, as shown in box 554. The ground team gains access to theaircraft when a member of the ground team, such as the Ground Team Lead,patches into an aircraft commport and authenticates his or her identity.Authentication, represented by Box 556, can be performed using a namebadge or smartcard with encoded identifying data, and/or usingfingerprint/pulse authentication or retina scanning at security devicesprovided at the commport. The authentication of the Ground Team Lead orother ground crew member can open an electronic lock to allow accessthrough one or more cargo hatches on the aircraft. Thereafter, theGround Team Lead can authorize the loading of cargo, and the remainderof the ground crew can be authenticated using smart cards or biometricreading each time a ground crew member accesses the aircraft, as shownat boxes 558-562.

As shown at box 564, an electronic display, such as an LED scoreboard,can be provided on or near a portal door at the aircraft. The electronicdisplay can display the number of cargo loading personnel that have beenauthenticated and are authorized to load cargo onto the aircraft. Thisinformation can be transmitted to or monitored by a member of the groundteam, who can visually observe the number of personnel loading cargo, asshown in box 566. If at step 568 it is determined that the number ofpersonnel visually counted does not match the number displayed on theelectronic display, security personnel can be notified and the loadingoperation interrupted. As shown at box 570, the cargo loaded onto theplane can then be inspected. Further, as shown at step 572, it can bedetermined which personnel on or near the aircraft are notauthenticated, or which authenticated personnel are missing. If it isdetermined that an unauthorized individual has accessed the aircraft orthe cargo being loaded onto the aircraft, a hostile situation can bedeclared as at step 574 and an appropriate response initiated. If it isdetermined that no unauthorized personnel have accessed the aircraft andthat no hostile situation is occurring, a report can be made as at box576 and the loading process completed as shown at box 578. Once cargoloading is complete and the loading personnel have departed, the groundteam can lock down the aircraft as shown at box 580.

Provided that there are no last minute additions to cargo, the reportregarding ground team authentications and any violations can be sent tothe pilot for review as part of the pre-flight checklist as shown at box584 and discussed above. Thereafter, the aircraft can be cleared fortakeoff as shown at box 586. If at step 582, additional cargo must beloaded onto the aircraft, the cargo loading team can proceed back to theaircraft and reinitiate the method starting at step 554.

A method of authenticating authorized personnel is shown in more detailin FIG. 9. As noted above and indicated at box 602, a central system isestablished to maintain identity and biometric information regardingpersonnel. The central system includes the ability to add biometricinformation for new staff members and to delete information with regardto terminated staff members. Further, the central system should beconfigured so as to accept and transmit data to and from remote systems.These remote systems, as shown at box 604, can be provided with thecapabilities to add and delete identifying and biometric informationregarding staff, and to accept and transmit data from and to the centralsystem.

At step 606, procedures can be established to safeguard the data. Forexample, privileges to enter, modify and delete data can be restrictedto personnel who have pre-selected security clearance. Background checkscan be performed on each new staff member to be added to the system.Biometric information for new staff can be captured usingfingerprint/pulse readers and/or retina readers as described above.These procedures can be used to enroll staff by capturing eachindividual's biometric information, and adding that information to thedatabase in association with the staff member's identity, identifyinginformation encoded on the staff member's name badge or smartcard, andother information of interest.

If cockpit crews, cabin crews and service crews are selected for aparticular aircraft or flight, the information for that flight can bedownloaded to the aircraft at the appropriate time, as shown at box 610.As indicated by box 612, procedures can be established to ensure thatonly information for the appropriate crew members (i.e., those actuallyassigned to the particular flight) are downloaded to the aircraft.Therefore, staff members who are not assigned to that particular flightwill not be able to authenticate or otherwise gain access to theaircraft. The transmission of the crew information should be performedusing secure network protocols or other means for secure data transferas shown at box 612.

When a staff member attempts to access the aircraft, biometricinformation of that staff member is captured using appropriate biometricreading devices, as at step 614, using the methods and apparatusdescribed above. At step 616, the newly captured biometric informationis compared to the biometric information downloaded to the aircraft fromthe secure database. The comparison of the biometric information of theindividual requesting access and the downloaded information for theappropriate individual can be used to generate a score to determinewhether or not there is a match as shown at 618. The score can be basedon the number of common identifying points from a fingerprintcomparison, common identifying features from the retina reads or otheridentifying characteristics. A comparison resulting in a score above apre-selected threshold can be considered a match. In addition, theindividual's name badge or smartcard can be scanned to read identifyinginformation encoded thereon for comparison with that downloaded from thedatabase. If a match is determined, the individual staff member isauthenticated and is permitted to proceed with access to the aircraft,as at box 620.

If it is determined that there is not a match between the biometricinformation or smartcard data of the individual requesting access andthe downloaded data, the individual's biometric information can bere-read a pre-selected number of times. For example, as shown at box622, if an individual staff member is permitted four scans, and thefourth scan does not produce a match, the individual can be consideredpotentially hostile. In that case, security procedures can beimplemented as shown at box 624 and the individual's biometricinformation can be provided to security personnel or an appropriateauthority. Where four scans are permitted and the individual has beenscanned less than four times, the individual's biometric information canbe re-read at step 614.

FIG. 10 shows a method of categorizing all individuals who are seekingaccess to an aircraft. At box 652, a database is provided having theidentities and associated biometric information for aircraft crew andpassengers. A subset of this data can be limited to only the crewmembers assigned to the flight and the passengers expected to be on theflight. The limited subset of expected individuals can be downloaded tothe aircraft. (The word “cargo” in FIG. 10 is used to mean passengerswhen the method is being used to differentiate or categorize individualsrequesting access to the aircraft.)

The method begins at step 654 by considering all individuals to be“bystanders”. The biometric information for each of these individuals isread and captured by one of the appropriate means described above. Oncebiometric information has been scanned at steps 656, the scannedinformation is then compared to the information contained in thedatabase at step 658. If, at step 662, the individual's newly scannedinformation meets the criteria for a match with that contained in thedatabase, that individual is then categorized as “crew” or “passenger,”as shown at box 664. Smartcards or name badges can also be scanned andcompared to database information for additional security. Onceappropriately categorized, the individual can be given privileges basedon the assigned category, such as access to the appropriate areas of theaircraft. For example, passengers can be given access to the passengercabin; whereas crew members can be given access to their appropriatework areas. It is also possible, as shown at step 666, to provide anindividual with access privileges based on predefined crew status,geographic position or sensor type.

If at step 662 it is determined that the individual's newly scanned datadoes not meet the criteria for a match with information contained in thedatabase, the individual's biometric information can be re-scanned apre-selected number of times. For example, if an individual is to bepermitted four attempts at a successful scan, as shown at box 668, andthe fourth attempt fails, the individual can be considered potentiallyhostile and the newly scanned data can be captured. In that case,security procedures can be implemented as shown at box 670 and the newlyscanned biometric information can be provided to the appropriateauthorities. If, after scanning less than four times, the individual'snewly scanned biometric information does not meet the criteria for amatch, the individual can be re-scanned at step 656. Thus, a method forcategorizing individuals and providing the appropriate access to anaircraft is provided.

If circumstances warrant, it is also possible to use the method tore-categorize individuals after boarding the aircraft. An example ofsuch a circumstance may be that discussed above with regard to grantingprivileges to an off-duty pilot in an emergency or if a crew memberfalls ill. In that instance, smartcard or biometric information can beuploaded to the aircraft via radio or satellite communications from thecentral or a remote database. Thereafter, the passenger can bere-scanned using biometric readers or smartcard scanners onboard theaircraft for authentication and upgrading to crew status. In suchcircumstances, any passenger who attempts to upgrade to crew status andfails authentication can be considered hostile.

As should be understood, the embodiments discussed above can besusceptible to many different modifications or variations. For example,it should be understood that any number of security devices may be usedin connection with embodiments of the present invention, and with anynumber being biometric readers. For instance, in the illustratedembodiment, one or more biometric readers may be utilized where desired,and the biometric readers may be of any desired type, such as afingerprint/pulse reader and/or retina reader as shown or any otherdesired types of biometric reading devices. In addition, in certainembodiments, it may be desired that there be a combination of biometricand nonbiometric type security devices, or that no biometric typesecurity devices be used. In addition, the term “controller” as usedherein should be broadly construed to comprise any mechanism utilizedfor operation of the aircraft, such as the control yoke, as well as anysuitable type of device, system or method for regulating operation, suchas a control of any desired shape, as mentioned above, a keyboard,trigger, buttons, tracking ball, single or dual joystick, lever, wheel,etc. Further, while the illustrated embodiment is described in relationto aircraft, it should be understood that embodiments may also compriseother types of apparatus or systems as well, including vehicles, suchas, for example, military vehicles, commercial vehicles(e.g., trains,buses, trucks, taxi cabs, etc), private vehicles(e.g. passenger cars),or any desired products or equipment, such as controls for nuclearreactors or military weapons, computer terminals, firearms, etc. Theembodiments of the present invention may be implemented using hardwareor software or any combination of the two where desired. Variousembodiments may also be implemented using commercially availabletechnology. Accordingly, it is intended that the invention not belimited to the specific illustrative embodiments, but be interpretedwithin the full spirit and scope of the appended claims and theirequivalents.

1. A method of limiting access to an aircraft comprising: maintaining adatabase having identity and associated biometric information relatingto crew members; assigning at least one category to a group of crewmembers, the category based upon the job title of the crew members;designating access to certain areas of the aircraft to only particularcategories of crew members only if an emergency situation arises;loading the category information to the database; downloading thecategory information to the aircraft; downloading the designated accessinformation to the aircraft; downloading a subset of information fromthe database to the aircraft, the subset consisting essentially ofinformation relating to crew members that are assigned to the aircraftfor a particular flight; reading biometric information of an individualrequesting access to the aircraft; comparing the biometric informationread from the individual requesting access to the information downloadedto the aircraft to determine if there is a match; if a match isdetermined, determining a category of the individual requesting accessto the aircraft, granting the individual access to only the areas of theaircraft to which the category is designated; if no match is determined,denying the individual access to the aircraft, generating a report thatincludes the individual's biometric information and information relatingto the aircraft access attempt and providing the report to at least oneof a crew member and ground personnel for immediate investigation of theaccess violation; preparing a preflight report relating to aircraftaccess attempts, the preflight report comprising any access violationsto one or more areas of the aircraft, and reviewing the preflight reportas part of a preflight checklist; and providing the individual'sbiometric information to security personnel.
 2. The method of claim 1further comprising the step of remotely monitoring the cockpit until thecockpit is secured and remotely monitoring at least one storagecompartment.
 3. The method of claim 1 further comprising the step ofsecuring the exterior of the aircraft after passengers, crew and cargois aboard the aircraft.
 4. The method of claim 3 wherein if anadditional crew member, passenger, or cargo is to be added to theaircraft after the exterior of the aircraft has been secured, the methodfurther comprises the step of triple authenticating the additional crewmember, passenger, or cargo.
 5. The method of claim 4 wherein the stepof triple authenticating comprises the steps of reading biometricinformation of the newly added crew member, passenger or cargo, theperson bringing that newly added crew member, passenger or cargo to theaircraft, and the person allowing the newly added person or cargo accessto the aircraft.
 6. The method of claim 4 further comprising the step ofpreparing a report relating to aircraft access, including any accessviolations, and reviewing the report as part of a preflight checklist.7. The method of claim 6 further comprising the steps of: updating thereport after an additional crew member, passenger, or cargo is added tothe aircraft after the exterior of the aircraft has been secured; andreviewing the updated report as part of the preflight checklist.
 8. Themethod of claim 7 further comprising the step of granting departureapproval after clearing any access violations noted in the report.
 9. Amethod of claim 1 comprising, if no match is determined, readingbiometric information of an individual requesting access to theaircraft, comparing the biometric information read from the individualrequesting access and determining whether there is a match, before thegenerating a report step.
 10. A method of claim 1 further comprising:flying the aircraft if there are no access violations on the preflightreport; reading biometric information of an individual requesting accessto a designated area of the aircraft; determining the category of theindividual requesting access to a designated area of the aircraft;comparing the category of the individual against the area of theaircraft to which the individual is requesting access; granting theindividual access to the area of the aircraft if the area is designatedto the individual's category; denying the individual access to the areaof the aircraft if area is not designated to the individual's category,generating a report that includes the individual's biometric informationand information relating to the aircraft access attempt and providingthe report to at least one of a crew member and ground personnel forimmediate investigation of the access violation and providing theindividuals biometric information to security personnel.
 11. The methodof claim 1 further comprising the step of monitoring any accessviolations with automated means.
 12. The method of claim 11 furthercomprising the steps of declaring an alarm and initiating a response ifthe automated means detects an access violation.
 13. A method of claim1, further comprising the step of reading a crew member's fingerprint,pulse, retina, facial or DNA characteristics and loading informationobtained into the database before the maintaining step and reading acrew member's fingerprint, pulse, retina, facial or DNA characteristicsas part of the reading biometric information step.
 14. A method of claim13 further comprising the step of comparing the pulse provided beforethe maintaining step against the pulse provided as part of the readingbiometric information step to determine if the pulse is irregular and ifthe pulse is irregular, invoking the steps wherein no match isdetermined.
 15. A method of claim 13 wherein the comparing stepcomprises comparing each of the biometric information obtained beforethe maintaining step against each of the biometric information obtainedat the reading step and generating a score based upon how closely theinformation obtained at the reading step matches the informationobtained before the maintaining step and permitting access if the scoreis above a predetermined score and invoking the steps wherein no matchis determined if the score is below a predetermined score.